SECURITY.CONF(5) File Formats Manual SECURITY.CONF(5)
security.conf -- daily security check configuration file
The security.conf file specifies which of the standard /etc/security
services are performed. The /etc/security script is run, by default,
every night from /etc/daily, on a NetBSD system, if configured do to so
The variables described below can be set to "NO" to disable the test:
check_passwd This checks the /etc/master.passwd file for
check_group This checks the /etc/group file for
check_rootdotfiles This checks the root users startup files for
sane settings of $PATH and umask. This test
is not fail safe and any warning generated
from this should be checked for correctness.
check_ftpusers This checks that the correct users are in the
check_aliases This checks for security problems in the
/etc/mail/aliases file. For backward
compatibility, /etc/aliases will be checked as
well if exists.
check_rhosts This checks for system and user rhosts files
with "+" in them.
check_homes This checks that home directories are owned by
the correct user, and have appropriate
check_varmail This checks that the correct user owns mail in
/var/mail, and that the mail box has the right
check_nfs This checks that the /etc/exports file does
not export filesystems to the world.
check_devices This checks for changes to devices and setuid
check_mtree This runs mtree(8) to ensure that the system
is installed correctly. The following
configuration files are checked:
Default files to check.
Local site additions and overrides.
Specification for the directory DIR.
check_disklabels Backup text copies of the disklabels of
available disk drives into
/var/backups/work/disklabel.XXX, and display
any differences in those and the previous
copies as per check_changelist below. If
fdisk(8) is available on the current platform,
the output of /sbin/fdisk for each available
disk drive is stored in
/var/backups/work/fdisk.XXX, and any
differences displayed as per the disklabels.
check_pkgs This stores a list of all installed pkgs into
/var/backups/work/pkgs and checks it for any
check_changelist This determines a list of files from the
contents of /etc/changelist, and the output of
mtree -D for /etc/mtree/special and
/etc/mtree/special.local. For each file in
the list it compares the files with their
backups in /var/backups/file.current and
/var/backups/file.backup, and displays any
differences found. The following mtree(8)
tags modify how files are determined from
exclude The entry is ignored; no
backups are made and the
differences are not displayed.
This includes dynamic or binary
files such as /var/run/utmp.
nodiff The entry is backed up but the
differences are not displayed
because the contents of the
file are sensitive. This
includes files such as
check_pkg_vulnerabilities Checks the currently installed packages
against a database of known vulnerabilities
and reports those that are vulnerable. Check
the fetch_pkg_vulnerabilities setting in
daily.conf(5) to keep the database up to date.
check_pkg_signatures Checks the digital signature of all files
installed by packages against the expected
values stored in the packages database.
The variables described below can be set to modify the tests:
During the check_homes phase, allow the checked files to
be group-writable if the group name is the same as the
Lists filesystem types to ignore during the check_devices
phase. Prefixing the type with a `!' inverts the match.
For example, `procfs !local' will ignore `procfs' type
filesystems and filesystems that are not `local'.
Lists pathnames to ignore during the check_devices phase.
Prefixing the path with a `!' inverts the match. For
example, `/tftp' will ignore paths under /tftp while
`!/home' will ignore paths that are not under /home.
During the check_mtree phase, instruct mtree to follow
symbolic links. Please note, this may cause the
check_mtree phase to report errors for entries for these
symbolic links (i.e. of type=link in the mtree
specification) as they will always appear to be plain
files for the purposes of the check.
/etc/mtree/special.local may be used to override the
checks for the affected links.
If check_passwd is enabled, most warnings will be
suppressed for entries whose shells are listed in this
space-separated list. This is of particular value when
those shells are not in /etc/shells.
If check_passwd is enabled, suppress warnings for these
If check_passwd is enabled, do not warn about login names
which use non-alphanumeric characters.
If check_passwd is enabled, do not warn about password
fields set to ``*''. Note that the use of password fields
such as ``*ssh'' is encouraged, instead.
max_grouplen If check_group is enabled, this determines the maximum
permitted length of group names.
max_loginlen If check_passwd is enabled, this determines the maximum
permitted length of login names.
backup_dir Change the backup directory from /var/backup.
diff_options Specify the options passed to diff(1) when it is invoked
to show changes made to system files. Defaults to ``-u'',
for unified-format context-diffs.
pkgdb_dir DEPRECATED. Please set PKGDB_DIR in pkg_install.conf(5)
If defined, points to the location of the packages
database. Defaults to /var/db/pkg.
Use rcs(1) for maintaining backup copies of files noted in
check_devices, check_disklabels, check_pkgs, and
check_changelist instead of just keeping a current copy
and a backup copy.
/etc/defaults/security.conf defaults for /etc/security.conf
/etc/security daily security check script
/etc/security.conf daily security check configuration
/etc/security.local local site additions to /etc/security
The security.conf file appeared in NetBSD 1.3. The check_disklabels
functionality was added in NetBSD 1.4. The backup_uses_rcs and
check_pkgs features were added in NetBSD 1.6. diff_options appeared in
NetBSD 2.0; prior to that, traditional-format (context free) diffs were
NetBSD 6.1.5 February 5, 2010 NetBSD 6.1.5